IETF Logo Mail Archive

[Ace] Review for draft-palombini-ace-coap-pubsub-profile

Cigdem Sengul <cigdem.sengul@gmail.com> Fri, 29 November 2019 16:12 UTC

Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134A112098B for <ace@ietfa.amsl.com>; Fri, 29 Nov 2019 08:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obKbaxrHc1GO for <ace@ietfa.amsl.com>; Fri, 29 Nov 2019 08:11:58 -0800 (PST)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56F9F12098C for <ace@ietf.org>; Fri, 29 Nov 2019 08:11:58 -0800 (PST)
Received: by mail-qt1-x82c.google.com with SMTP id z22so12086552qto.7 for <ace@ietf.org>; Fri, 29 Nov 2019 08:11:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Ca2ZQ4fgt4flDlKHH+d60m43uJi2TsYGAtX7xCS15XI=; b=L86+TDcTmaO51ake/1ELp+7OeAfmtLvj1GOxGVBsD/p8mIlwpe7kHWmjfC0sxhwQCz 36ds5tqc2uUPzc0bGttAJlgzrBQe/FJ/T/KKn8kbkLGaXw5ZaLiqbVLqwQ2rwLna1UjL DB1b8+hKu2ldAHXHLb2+KxUdtDsbUCkrq4GmMx0x5KvJwA07ilzYZ0S6zipQQyk/1Usk ltqYsE3vYZkKOH8XKOfdgaG14qjzh/9gbelvjPa5LjGq7ideMskBvQMMkcU5eK8h5G2V vO5z6stvDfZ6/lYo/hkXD/v/JiWJbAFZ449ora8Wr1mMNx5Y61IRnFzIRJ5BX1QY2WNx U3cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Ca2ZQ4fgt4flDlKHH+d60m43uJi2TsYGAtX7xCS15XI=; b=M+tNjmaLrQEKpRCLdzZ7SyNXUyFKyLN6AQaooCr7naJ7hxLeGl0SJcUh55+kBOQbYe g7WVMVBEpAC1uJs7THfS6aSrsiZ9e46I631gIDPrJvw0WPk5TmqwP9GZHJJp48UPlS5Z BkxQMU5xSmMtVNIHUdjlGdXLtJXPFix1VMmnW5tdtTUBl32vvtn9UgbV6aEkiNZ0t2fv QyNH5q+8gc6cvd/8QVqrTsQLkrT6zpHNLyZDayHnQCiVN3X6FrBMpk+2m1tsrAQsyDWH NmWkLlFKQKV6L/q8bovcID4SJLeFweptDFxqYfLyyqW34aSaZVIvbWWVZORc6BiIjTcM QOFQ==
X-Gm-Message-State: APjAAAWjXviU6ozsQ9WR51stVNHK5PknfmeUaBXhyTQvg0kAwqPNn9vI LU5laWiDaVTnGH0ObPZo7Nn8H9y8oNnH6nd2harN0wfBCEsFlw==
X-Google-Smtp-Source: APXvYqy/YzT48Igz8WUNbJ2ZuYHYQfvsuAzTi9TOkc/qNdTupdsoClW9ZdabXnjOuwSFqGqUq+tD6afzI+8jAFrqcQc=
X-Received: by 2002:aed:2047:: with SMTP id 65mr35829573qta.78.1575043916940; Fri, 29 Nov 2019 08:11:56 -0800 (PST)
MIME-Version: 1.0
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Fri, 29 Nov 2019 16:11:45 +0000
Message-ID: <CAA7SwCMhdOctrzQqGAUz4-z7SvKfKZLErAJT88eSDwCMedg-rg@mail.gmail.com>
To: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002ccfac05987e7d99"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/2kke93VGLsKV9sItrECbJS2oZwg>
Subject: [Ace] Review for draft-palombini-ace-coap-pubsub-profile
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 16:12:02 -0000

Hello,


As I remotely promised in the WG meeting in Singapore, here is my review of
the pubsub-coap document.


When reviewing the document, I have kept two things in mind: how the
document reads now, and whether it can easily be extended to include MQTT
as well.  I’ve understood including MQTT is in scope for this document in
the workgroup meeting in Singapore. I would be happy to help, if you need
me to, for MQTT-specific contributions to this draft.  Doing this would
allow the mqtt_tls profile to progress independently of this document by
stating that content protection is out of scope for mqtt_tls profile and
referring to this document for a solution.


I want to repeat my support for the adoption of this profile, as it
addresses a significant problem for publishers to constrain the content of
their publications to only their subscribers. It does handle the multiple
publishers to a single topic case well (allowing subscribers to learn about
all the publishers to a specific topic).


In the following, I list a few things reading the draft made me think,
especially in its applicability to MQTT:

(1) What is planned to make this document a generic pubsub solution? Will
there a generic architecture section, and specific descriptions for each of
the protocols?

For instance, if an MQTT client implements this,  the client would talk to
AS1 to get a token based on the way we describe in the mqtt-tls profile,
and then get keying material for topics from AS2.

I expect the MQTT client would use a different profile name like
mqtt_tls_app to signal to AS1 that it is supporting the application layer
security. This is because the draft hints that there should be a policy
agreement between AS1 and AS2: “Note that AS1 and AS2 might either be
co-resident or be 2 separate physical entities, in which case access
control policies must be exchanged between AS1 and AS2, so that they agree
on rights fo  joining nodes about specific topics.”


(2) If we keep AS1 as the mqtt-tls profile AS, then for consistency sake,
the MQTT client would expect to talk to HTTPS to AS2, but the coap-pubsub
draft describes these, expectedly, in CoAP. Will there be support for HTTPS?


(3) In the mqtt_tls profile, the AS grants tokens that identify both
“publish” and “subscribe” rights and the topics by adding scopes in the
format, e.g. “publish_topic1” “subscribe_topic2/#”.  This format allows
representing all publish/subscribe permissions concisely for the client
which may be acting both as a publisher and a subscriber.

In the coap-pubsub, this is separated between AS1 and AS2. “AS1 hosts the
policies about the Broker: what endpoints are allowed to Publish on the
Broker.” “The AS2 hosts the policies about the topic: what endpoints are
allowed to access what topic. “

The coap-pubsub also permits that AS1 can host policies about what
endpoints are allowed to Subscribe to the Broker.


However, wouldn’t this separation between AS1 and AS2 have the following
issue: Publisher P, having the permission to publish to topic1 and hence,
successfully getting an access token from AS1, then goes ahead and sends a
PUBLISH on topic 2, which it doesn’t have a right to publish.

Wouldn't the broker would pass this message to subscribers, and the
subscribers would discard the message because the publisher does not belong
to their “publishers list” (subscribers have all the public keys of all
publishers). Have I missed something, does the draft protect against this
at the broker?


Differently, with the current way mqtt_tls scopes are described, AS1 would
need to know not only who can publish or subscribe, but also the policies
on topics.


(4) That brings me to another point regarding this note in coap-pubsub
profile. The profile says: “How the policies are exchanged [between AS1 and
AS2] is out of scope for this specification.” I wonder whether the token
the client gets from AS1 should also be usable towards AS2, and AS2 is
replaced with an RS for retrieving the keying material for topics (more on
this later), i.e., AS2 does not need to host/manage/coordinate policies
with AS1.


(5) Regarding groups and group memberships, it seems like for the draft
group = a single topic.


In MQTT, topics can have level separators and multi-level (#) and
single-level (+) wildcards.  Similarly, CoAP would also have hierarchies.


Consider the case when a PUBLISHER is allowed to publish to
sport/tennis/player1/# but not sport/tennis/player2/#.  The players'
directory may have sub-levels like “rankings”.

And a subscriber has permissions to get content from sport/tennis/#.

It seems like sport/tennis/player1 would be a group, and
sport/tennis/player2 be another group.

And, the subscriber needs to be in two groups. This is fine, I believe,
according to this document.


In MQTT token scopes, we also accepted that a publisher represents its
PUBLISH rights with topic filters (note a PUBLISH message cannot be sent to
a filter, but the topic filters are useful in summarising permissions).

Let’s assume there is a publisher with scope
“publish_sport/tennis/+/rankings“?

Then being a part of all groups (player 1 and player2) is too general as
this publisher cannot publish to everything but only to “rankings”.


Another approach could be each publisher creating its group. This way the
number of groups scales with the number of publishers (and the COSE keys is
per publisher).

So, the subscriber still asks permissions for and subscribes to topic
filters.

There needs to be a solution that maps the topics to a publisher list...

AS1  (see my earlier discussion on who keeps the policy information) knows
who has the right to publish to these topics in their policy database and
has the public key information for them. AS2 hosts the COSE key for this
publisher.


Putting all this information together,  when a message is received, the
subscriber would use the publisher's public key to verify the publisher
signature (the draft already supports this), then locate the symmetric key
it received from the AS2 for this publisher to decrypt the message.



Would there be any problems with this approach?


Nits:

Figure 2: Negociation -> Negotiation


Kind regards,

--Cigdem

v2.23.0 | Report a Bug | By Email